What certificate are you using for your Exchange server?


I’m trying to gather some additional data to help address this problem. If you’ve had trouble syncing to the Exchange server because you couldn’t add root certs, can you please give me this information:


– Was this a self-signed certificate or was it purchased from an SSL vendor?


– If purchased, from which vendor?


– Did the CAB file method help you out? If not, what device do you have? I believe that method will work for most devices in the market, but I’m interested to know if any shipped in a configuration where that won’t work and the operator/OEM haven’t provided a solution.


Thanks for your input – my team has been working on solving this problem for future releases for quite some time now, but this information will help us further. I’ll post the details about our work when the release becomes public information.




Thanks,


Scott

Comments (27)

  1. Daern says:

    Scott,

    We use a self-signed cert from a root CA generated by Certificate Services. Works a treat on our devices, apart from…

    Deploying it can be a bit of a pain on WM5 – we’ve found that on quite a few devices, installing the cert via a CPF or CAB file did not work unless the CAB file was signed against a privileged CA – a regular signed CAB wasn’t enough.

    Even this seems to be problematic on some devices (O2 XDA Mini-S and IQ in the UK) and we’ve now resorted to a setup.dll which shoves the cert in through the API directly. This works on many more devices and seems much less prone to errors. Again, the DLL and CAB file need to be signed privileged to work.

    Once it’s all configured and installed, it works a treat and we have few problems. It just took a bit of pain to get there. Even the mobile operators themselves can have difficulties with this!

    Daern

  2. Rick Jensen says:

    The one client I tried this with uses Self-signed SSL certs in an Exchange 2003 environment, and Audiovox phones with WM5 (sorry, I don’t recall the model, it was the latest one at the time). We tried several variations on the CAB method described, no luck (This was a few months back, so there may be more info out now that I haven’t seen).

    The customer was very disappointed, and ended up returning the phones to the vendor – who promptly put them in a drawer with a bunch of other ones, returned for the very same reason! So I’ve not had to try again.

    A colleague of mine has several Windows 2003 SBS boxes with various clients, and could not get any method to work either (sorry, no details on which phones those were).

    RJ

    Seattle, WA

  3. MJG says:

    Our Exchange server uses a certificate from Equifax (Secure Global eBusiness CA-1). I’ve tried both running the exported certificate from the T-Mobile MDA running WM 5.

    I have no problem synching without "requires SSL" checked but get invalid certificate message on my device when I turn this feature on.

  4. MJG says:

    Oops, didn’t finish my post. I tried running the exported cert (which wouldn’t install, saying it was inaccessible) as well as the cab method shown above, which made no difference in the behavior.

    I have to turn off SSL in my server settings in the MDA in order to get server synchronization to work.

  5. scyost says:

    MJG – when you did the cab method, did it succeed? Did the cert show up in the control panel? When you look at the certificate chain in desktop IE, how many certs are there between the root and the server cert?

  6. Rory says:

    We use a cert from InstantSSL. I have had to use an unlocking tool on all of our devices that won’t allow this cert to be installed.

    Just copied and created the cert from within Firefox, then saved it as whatever.cer, copied it to the device and installed it once it’s been unlocked.

    It’s a bit annoying that you can’t install any cert on a WM5 device.

  7. Such says:

    We use a cert from http://cert.startcom.org/ that is free. I just copy the file onto the devices, click on it to install and the smartphone (Cingular 2125) and PDAs (Dell Axims) work great.

  8. MJG says:

    scyost: The certificate does indeed show up in the certificate applet.

    Looking at the certification path, our cert (owa.fimc.net) is directly beneath the Equifax Secure Global eBusiness CA-1 cert.

  9. RBS says:

    Attempted the CAB workaround for a Verizon XV6700 with a self-signed cert. ActiveSync still doesn’t work. The only difference I can see between the added cert and the preloaded root certs is under intended purpose(s). The added cert says server authentication; the preloaded ones say all purposes.

  10. Chris says:

    We use a self-signed cert.  I have a WM5 Smartphone. I had to use a free regedit tool to change some settings for the CAB method to work.

    Now it works fine.

  11. sirchandler says:

    Rory: I have found a few nice little tools that import certs into a WM5 device. It worked for me.

    http://www.jacco2.dds.nl/networking/p12imprt.html

    http://www.jacco2.dds.nl/networking/pfximprt.html

    http://www.jacco2.dds.nl/networking/crtimprt-org.html

  12. Arne Lovius says:

    I’ve used a variety of different certificates.

    Tried using self signed ones, but there was no method that I could get to work of putting the root onto an Orange C600…

    there are two InstantSSL root certs, you need to use the GTE one for it to work without changes to the WM5 device. I’ve also used the cheap certificate from Godaddy which is also in the built in root certs.

  13. Rain_Man says:

    Windows Mobile AKU2 Certificate authentication is broken!

    I would advise any business who is considering deploying Windows Mobile 5 AKU2 and intending to use Client Certificate authentication to just pass on it.  It is not supportable with the current release (I will explain technically why below) and what is worse Microsoft will not be fixing it in AKU3 they will only fix the bug in Crossbow.  

    Here is a technical run down of the issue:

    Setup:

    Configure your Exchange 2003 SP2 with the Mobile devices feature pack to be able to use ActiveSync and require Client Certificate authentication

    Configure Kerberos Constrained Delegation

    Configure ISA 2004 to tunnel the SSL connection to the Exchange FE server over SSL  with a permanent external DNS address.

    If you are using self-signed certificates then import the .CER files onto the devices

    Configure AD with the correct XML files to allow ActiveSync to find the Certificate Servers internally

    Cradle your device and configure the external mail server address

    The device will sync correctly

    Remove the device from the cradle and initiate a sync

    The device will sync over the air correctly with the Exchange Server

    To create the failure:

    With the ISA 2004 server up stop the W3 service on the Exchange 2003 server simulating a down Exchange server.  

    Force a sync from the device.  

    The device will fail to sync in most cases with a “certificate required” failure.  

    Restart the W3 service on the Exchange server

    Attempt to sync again

    Sync will still fail and will never work again until the device is re-cradled.

    The net effect of this is that client certificate authenticated ActiveSync is not supportable in an enterprise environment because you cannot ever take down the Exchange servers for maintenance.

    This issue is caused, from what I hear, because someone in the Windows Mobile team at MS accidentally left some test code in the build that deletes the client certificate and resets a registry key so it will not even attempt to sync even if there is another client authentication certificate in the store.

    From what I hear the product team has the fix but has chosen not to include it in the AKU3 build but only in Crossbow.  Does anyone in the product team wish to comment on this before it hits Infoworld?  

  14. Chris Kinsman says:

    FreeSSL certificate

    Cingular 2125

  15. Les Carleton says:

    I’m using a self-signed cert from Windows Certificate Server on Exchange 2003 and WM2003SE. I haven’t had any problems once I loaded the root public cert onto the device.

  16. Mike says:

    1) We purchased ours from a vendor.

    2) The cert is signed by UTN-USERFirst-Hardware.

    3) I was able to export the cert in DER format with a .cer extension. I copied the .cer file over to a Cingular 8125 via Activesync. I was able to install the .cer file natively on the device. The cert shows up under certificates/ROOT under system on the device.

    Once I enable Require SSL, I get the invalid cert error. If I uncheck Require SSL, it works fine.

    Any way to fix this would be helpful. My guess is that my SSL Vendor does not play well with MS Mobile 5.0 and I am just out of luck….

  17. vern says:

    I use a cert from my own CA, and I install it via the https://my.domain.com/certsrv interface. Works like a charm every single time.

    This is on both a WM2003 and WM5 PocketPC Phone, and I’ve installed the cert from both inside and outside my network. It’s wonderful to be able to completely wipe the memory on the phone and have it back to the same status in about 20 minutes. (Assuming I’ve got my SD card with all my PPC software with me)

  18. Vaibhav says:

    Hi,

    I need to connect to a wifi network which uses ms-chap v2 authentication and requires a certificate. But my WM5 device after asking for login info says it does not trust the certificate. Is there any way to force the device into accepting the certificate. The IT dept said they cant be bothered. I NEED HELP.

    Thanks

  19. Taja says:

    Vaibhav,

    I also use 802.1x PEAP and ms-chap v2 at work to authenticate to the network using my wireless device.  I too had problems connecting until I figured out what I needed to do.  You will first need to obtain the correct Root Certificate.  I did a little playing around with multiple root certificates to finally find the correct one.  If you have a desktop or laptop, you can find the root certificates by looking under IE>Tools>Internet Options>Content tab>Certificates button. Go to the Trusted Root Certificates tab and look through the list.  The one that I needed was pretty obvious as it had the name of my company in the certificate name.  If you are not sure, you may also be able to tell by double-clicking on each to review the Details tab.  There you may see something familiar in one of the Distribution Path fields like your company server domain.  

    If you find a couple that could be correct you can export them by clicking on the Export button from the Trusted Root Certificates tab and export it in DER binary format.  Give the file a name and save it to a directory that you will remember.  Once you save the file, you will need to move it to your device using ActiveSync or by copying to a flash drive that you can insert into your device.  Once on your device, navigate to the file using Pocket Explorer and double-click on the file.  You may get a warning message asking you whether or not you trust the certificate.  Click OK and Windows Mobile will install the certificate on your device.  

    After I installed the certificate, I entered my username, password and domain and was able to finally connect without getting the message that I needed a personal certificate.  It worked for me.  If your network uses some other protocol besides 802.1x PEAP, eg Smart Card or Certificate, you may need to obtain a Personal Certificate first from the server and install it on your device.  For that you will need a third party app since WM does not allow you to install personal certificates (root certificates yes, but not personal certificates).  You can do it, it’s just more complicated.  I at first went through all the hoops thinking I needed a personal certificate when all I needed was to install the Root Certificate and I was on my way.

    Hope this helps.

  20. We use the Startcom free SSL cert.

    The Root cert did install with the CAB file method on a Qtek 9100 (AKU2) that was not locked. The intermediate cert did NOT install with the CAB method, regardless of whether it was designated CA or ROOT in the _setup.xml file. Luckily both certs did install just by clicking on them (.cer).
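The questions scyost asks in comment 5 (how many certs sit between the root and the server cert), the "intended purposes" difference RBS notices in comment 9, the DER/.cer export Mike and Taja describe in comments 16 and 19, and the ROOT-versus-CA designation in the _setup.xml just above can all be checked from a desktop before touching a device. The script below is an added example, not code from the original post or from Microsoft: it builds a throwaway root -> intermediate -> server chain with openssl so it runs offline, then reports the chain depth, the Extended Key Usage of each cert, whether the server cert verifies with and without the intermediate, and writes the CA certs out as DER .cer files plus a provisioning XML body. The names (Example Root CA, owa.example.com) are made up, and the CertificateStore XML layout is written from memory of the Windows Mobile CSP documentation, so check it against that documentation before using it.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post. Builds a
# throwaway two-level PKI with openssl (root CA -> intermediate CA ->
# owa.example.com) and answers the diagnostic questions raised above, offline:
# how many certs sit between the root and the server cert, which "intended
# purposes" (Extended Key Usage) each cert carries, and whether the server
# cert verifies with and without the intermediate. It also exports the CA
# certs as DER .cer files and writes the CertificateStore provisioning XML
# used by the CAB method. The names (Example Root CA, owa.example.com) are
# made up; the XML layout is written from memory of the Windows Mobile
# CertificateStore CSP and should be checked against the documentation.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# issue SUBJECT KEYFILE CERTFILE EXTFILE [CACERT CAKEY]
# Self-signs when no CA is given, otherwise signs with the CA key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$1" \
    -keyout "$2" -out "$3.csr" >/dev/null 2>&1
  if [ $# -gt 4 ]; then
    openssl x509 -req -in "$3.csr" -CA "$5" -CAkey "$6" -CAcreateserial \
      -days 825 -sha256 -extfile "$4" -out "$3" >/dev/null 2>&1
  else
    openssl x509 -req -in "$3.csr" -signkey "$2" \
      -days 3650 -sha256 -extfile "$4" -out "$3" >/dev/null 2>&1
  fi
}

# Constructed test chain; chain.pem is what a correctly configured server sends.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:owa.example.com\n' > srv.ext
  issue "/CN=Example Root CA" root.key root.pem ca.ext
  issue "/CN=Example Intermediate CA" inter.key inter.pem ca.ext root.pem root.key
  issue "/CN=owa.example.com" server.key server.pem srv.ext inter.pem inter.key
  cat server.pem inter.pem root.pem > chain.pem
}

# Intermediates in a PEM bundle: total certificates minus the leaf and the root.
intermediates_in() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  echo $((n - 2))
}

# "Intended purposes" as the device's certificate applet shows them: the EKU
# extension text, or "all purposes" when the cert has no EKU at all.
eku_of() {
  eku=$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^[[:space:]]*//')
  if [ -n "$eku" ]; then echo "$eku"; else echo "all purposes (no EKU extension)"; fi
}

# verifies ANCHOR LEAF [INTERMEDIATES] -> prints OK or FAIL. With no
# intermediates this models a device that trusts the root but receives no
# intermediate from the server, which is the "invalid certificate" case.
verifies() {
  if [ $# -gt 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# to_cer PEM OUT.cer -> DER file the device installs from File Explorer; prints
# the SHA-1 thumbprint the CertificateStore CSP keys the entry by.
to_cer() {
  openssl x509 -in "$1" -outform DER -out "$2"
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g'
}

# provision_xml STORE PEM -> provisioning XML body for one cert. STORE is ROOT
# for self-signed roots and CA for intermediates (layout from memory, see top).
provision_xml() {
  tp=$(openssl x509 -in "$2" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g')
  b64=$(openssl x509 -in "$2" -outform DER | openssl base64 -A)
  printf '<wap-provisioningdoc>\n <characteristic type="CertificateStore">\n  <characteristic type="%s">\n   <characteristic type="%s">\n    <parm name="EncodedCertificate" value="%s"/>\n   </characteristic>\n  </characteristic>\n </characteristic>\n</wap-provisioningdoc>\n' "$1" "$tp" "$b64"
}

make_chain
echo "intermediates between root and server cert: $(intermediates_in chain.pem)"
for c in root.pem inter.pem server.pem; do echo "$c: $(eku_of "$c")"; done
echo "root + intermediate: $(verifies root.pem server.pem inter.pem)"
echo "root only, no intermediate: $(verifies root.pem server.pem)"
echo "root.cer thumbprint:  $(to_cer root.pem root.cer)"
echo "inter.cer thumbprint: $(to_cer inter.pem inter.cer)"
provision_xml ROOT root.pem > _setup.xml
echo "files written to $WORK"
```

To use it against a real server instead of the constructed chain, save the chain the server actually sends (for example with `openssl s_client -showcerts`) as chain.pem and point the same functions at it. If "root only, no intermediate" prints FAIL while the server sends no intermediate, then installing the root on the device is not enough: either the server must send the intermediate or the intermediate must also be installed on the device under CA, which is the situation comment 20 describes.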

  21. Hi,

    There is a known issue where wildcard certificates are not supported.  This support should be added to WM5 and future devices.

  22. scyost says:

    The client auth bug that rain man mentions above is actually fixed in one of the AKU3 drops. (there are several flavors of AKU3)

  23. Here you go:

    http://www.granitetek.com/faqs.htm

    This will walk you through syncing wm5 using non-std ssl certs

  24. Ron says:

    Equifax Secure Global eBusiness CA-1, Exchange 2003. My Moto Q will not install the cert, nor the CAB version; it said security permissions were insufficient or installation was unsuccessful.

  25. DanielK says:

    I use rapidSSL and try to import the Geotrust "Root 5 – Equifax Secure Global eBusiness CA-1" needed for that certificate to be able to sync with Exchange. Importing the root certificate works great on our WM6 devices but is a pain on WM5 smartphone (HTC MTeor). I still have not got this to work as I am not allowed to install certificates on my device. Nor have I been able to find a regedit app that allows me to save changes made to the registry to disable the installation locks. It is just silly.

  26. Deepak Rai says:

    I want to download a Windows Mobile 6.0 certificate. Kindly provide me the path for the same on my Gmail account. I will be grateful to you all.

    Thanks & regards

    Deepak

  27. Remy says:

    I have an HTC P4350 smartphone with Windows Mobile version 5.

    Before I used a self signed certificate which I also imported on my HTC device. This worked very well. No problems with synchronising.

    I just purchased an Equifax certificate for my Exchange server. After installing the Equifax certificate the HTC device would not synchronise. Evidently this has to do with recognising the new certificate.

    Strangely enough, when connecting with the OMA protocol (using the built-in Internet Explorer) the new Equifax certificate does work.

    People in my office with an iPhone 3G device don’t seem to have any problems with the new Equifax certificate and synchronising.

    I’ve tried to uninstall (delete) the previous self-signed certificate on the HTC device so it would have no other option than to switch to the Equifax certificate. Unfortunately this was no solution.

    Any ideas how to solve this problem?